Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:D2DC1DBD92C5EE006A0E379C7318BFB2
HistoryJun 21, 2024 - 1:01 p.m.

Military-themed Email Scam Spreads Malware to Infect Pakistani Users

2024-06-2113:01:00
The Hacker News
thehackernews.com
16
phantom#spike
malware
phishing
pakistan
backdoor
remote access
zip files
military-themed
command line
rat
security breach

7.2 High

AI Score

Confidence

High

JSON

Malware

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.

Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence.

“While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within,” researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The campaign is notable for its lack of sophistication and the use of simple payloads to achieve remote access to target machines.

Cybersecurity

The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It’s set to be held in Moscow in mid-August 2024.

Present within the ZIP file is a Microsoft Compiled HTML Help (CHM) file and a hidden executable (“RuntimeIndexer.exe”), the former of which, when opened, displays the meeting minutes as well as a couple of images, but stealthily runs the bundled binary as soon as the user clicks anywhere on the document.

The executable is designed to function as a backdoor that establishes connections with a remote server over TCP in order to retrieve commands that are subsequently run on the compromised host.

PHANTOM#SPIKE Malware

In addition to passing along system information, it executes the commands via cmd.exe, gathers the output of the operation, and exfiltrates it back to the server. This includes running commands like systeminfo, tasklist, curl to extract the public IP address using ip-api[.]com, and schtasks to set up persistence.

“This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system,” the researchers said.

“The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

7.2 High

AI Score

Confidence

High

JSON